The latest came on Friday from the Wall Street Journal. The top-line finding: Eleven health and fitness apps shared sensitive data, such as heart rates, menstrual cycles or pregnancy statuses, with Facebook. This occurred whether or not a user had a Facebook account.

"It's misleading when mobile app developers point to their privacy policies as a reason why the data collection should be expected. Privacy policies virtually never dig into the details and are usually slyly crafted to reassure."

The data was sent because the apps used Facebook's mobile analytics SDK, which collects information that helps for better ad targeting. The SDK allows app developers to create new advertiser segments. These "buckets" - broad categories such as age brackets or whether someone is a sports enthusiast - can then be used to target ads. The ad industry maintains that this method protects people's privacy, as the generalized categories don't reveal any specific, identifying information.

Facebook advises app developers not to send it health and financial information. The company also says it didn't use the data for advertising. Sending that kind of data would violate its terms and conditions, Facebook tells the Journal. But the newspaper reports that users had no way of opting out of that kind of data transfer.

The story raises concerning questions about users' expectations when they download an app, the opaqueness around what the app is actually doing and how this relates to privacy law.

Meanwhile, New York Governor Andrew Cuomo has ordered two state agencies to investigate the Journal's report that Facebook may be accessing far more personal information than previously known, the Guardian reports.

Blaming the User

There's a tendency to blame the victim, although calling app users victims is probably hyperbole. The argument runs like this: If you don't want your personal data collected and transferred to unnamed companies, don't use the app.

This seems like a fair point on the surface. Mobile apps have to generate revenue, and that is largely done through targeted advertising, which is based on collecting location data, app activity, browsing activity and a variety of other metrics. Consumers should know by now this is a common practice that makes unpaid apps possible.

But clearly, they don't. And that's because some online advertising companies and app developers haven't been forthright about what's going on under the hood of their services. They've rightly anticipated that if users knew the full details of how their personal data was collected and shuffled around, the response may be: "No way. Bye."

It's misleading when mobile app developers point to their privacy policies as a reason why the data collection should be expected. Privacy policies virtually never dig into the details and are usually slyly crafted to reassure.

The only accurate way to figure out what data an app is transmitting is to man-in-the-middle the traffic with a web debugging proxy and scan data fields. That's unreasonable for most users.

Zeynep Tufekci, a privacy expert and associate professor at the University of North Carolina at Chapel Hill, concisely sums up the problem:

Every part of this data chain will say oh look at some other part is doing this or that. They're all correct. The whole surveillance-industrial complex is corrupt and its mechanisms are not clear to ordinary people.

This shouldn't be the case. The Journal, for example, spoke to a 25-year-old woman who used Flo, a menstrual cycle app. After learning her health data was transferred to Facebook, she was considering deleting it.

Flo's privacy policy appeared to give assurance that the kind of information it collected, such as menstrual cycle, wouldn't be shared. Following the Journal's story, Flo said it would limit its use of external analytics systems while it conducts a privacy audit.

Keeping Track Is Challenging

With tens of thousands of mobile apps, it's impossible for investigative journalists and privacy researchers to keep up. The data sent one day may be different than the data sent five days and two updates later.

There is a fair argument about the balance of the Journal's story, which seemed to cast Facebook in a shady light. Then again, Facebook was only the recipient of the data sent by the 11 apps. The responsibility lies with the app developers, writes Antonio Garcia Martinez, an author who was Facebook's first product manager for targeted advertising.

Is it weird that an app developer is segmenting you by heartrate, and maybe using that to vary your experience, or even target you with ads (say, heart meds if you seem ill). Yeah, it is. Some users might well find that objectionable, and should get angry...at the app developer.

With its lingering data foibles and general shadiness, it's hard to see how Facebook would get off easy here, but Martinez has a solid point. He also highlights that the technical documentation for the analytics SDK has been public for five years, suggesting the story may be more of a scoop of perception than a breaking-news exposé.

But clearly there's a case to be answered here by Apple, Facebook and Google, which also has an analytics SDK for Android apps. The companies are in the best position to do the technical testing to figure out what data apps are sending and whether there's friction between user expectations and privacy policies.

Until those gaps are closed, stories such as the Journal's will still hold unwelcome surprises.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.